Finjan Blog

Russian Hacking and The Kaspersky Link

In this age of ransomware, phishing, fake news, social engineering, and the million-record data breach, commercial enterprises and government institutions are more than ever advised to install an up-to-date and powerful suite of security and antivirus software.

But what happens when the integrity of the very applications that are supposed to protect our institutions is itself called into question?

It’s a scenario which has been brought to light in recent days, with the emergence of fresh revelations linking a market-leading name in the security software sector with allegations of espionage and potential sabotage, on the part of a sovereign state government.

Russian Hacking – What We Knew

Indications of foreign intrusion into the intelligence communications of agencies in the U.S. were revealed last week in press reports by the Wall Street Journal and other houses – but the background to these findings has only become more specific in recent days.

In its initial report last week, The Wall Street Journal disclosed that Russian hackers had stolen classified materials from a contractor working for the U.S. National Security Agency (N.S.A.). The contractor – who appears to have acted without malicious intent – had removed the material from the N.S.A.’s headquarters campus at Fort Meade, Maryland, and stored it on a home computer on which Kaspersky software had been installed.

Russian Hacking and The Kaspersky Link – What We Now Know

Beginning in 2014, intelligence and computer forensics analysts working in the service of Israel infiltrated the networks of the Russian-based Kaspersky Lab, and gleaned evidence – which was presented as an alert to the government of the United States – that Kaspersky software was being used to extract American intelligence information.

The role of Israeli intelligence in uncovering this security breach has not previously been disclosed – and neither has the use of Kaspersky software by Russian hackers, in the broader search for American intelligence secrets.

In the nature of these things, the National Security Agency, the White House, the Israeli government, and the Kremlin have all declined to comment on this issue officially. And sources who did speak to the press remain under the protection of anonymity.

But these sources maintain that Israeli intelligence officers informed the N.S.A. that hackers sponsored by the Russian government were using Kaspersky software’s access to high-level systems to aggressively scan for American government classified programs – and relaying that information back to Russian intelligence systems. Evidence for this was provided in the form of screenshots, and other documentation.

The Kaspersky breach doesn’t appear to be directly related to the leak of N.S.A. hacking tools last year attributed to the still unidentified group calling itself the Shadow Brokers. Nor does it appear to be connected with the funneling of hacking data from the C.I.A. to WikiLeaks, which has since been regularly posting classified C.I.A. documents under the name Vault7.

What this incident does highlight is the huge potential for abuse which resides in “trusted” applications like security software. In the words of Blake Darché, a former N.S.A. operator and co-founder of Area 1 Security:

“[Antivirus software] provides consistent, reliable and remote access that can be used for any purpose, from launching a destructive attack to conducting espionage on thousands or even millions of users.”

An Unhealthy Routine

Like any contemporary antivirus / antimalware solution, Kaspersky Lab’s software requires system-wide access and high-level permissions in order to do its job of inspecting files and monitoring behaviors for suspicious activity. But it’s this very aspect which also makes antivirus security software the perfect “back door” for any malicious intruder who manages to compromise or co-opt the system as an ally.

According to two industry officials (who also spoke on condition of anonymity), Kaspersky has on occasion over the past several years made use of a tool known as “silent signatures.” These are strings of digital code which operate in stealth mode to find malware – but which can equally be written to search computers for potentially classified documents, on the basis of keywords or acronyms.

Using keywords like “Top Secret”, the Russian hackers were able to scour N.S.A. and possibly other U.S. intelligence agency records, turning the Kaspersky software into what New York Times columnists Nicole Perlroth and Scott Shane describe as “a sort of Google search for sensitive information.”

A Market of Targets

Globally, Kaspersky software has a user base of 400 million people, with over 60% of the company’s $633 million in annual sales coming from customers in the United States and Western Europe. Included in this are some 22 U.S. government agencies – most notably the Department of Defense, the State Department, the Department of Energy, the Justice Department, Treasury Department and the Army, Navy, and Air Force.

That’s a lot of potential targets in a game of “cat and mouse” involving cyber-espionage and counter-spying, which draws in players from all sides.

The Great Game

The N.S.A. has itself been accused of exploiting antivirus software to gain external intelligence, and in 2015 Kaspersky Lab conducted its own investigation into hacking, which revealed the presence on its company servers of malicious code which it dubbed Duqu 2.0. In a detailed technical analysis paper, Kaspersky’s experts surmise that this was a variant of the code used to spy on international officials participating in negotiations over Iran’s nuclear program.

Duqu has been attributed by international researchers to the same parties responsible for the Stuxnet cyber-weapon – a joint American-Israeli operation which successfully infiltrated Iran’s Natanz nuclear facility and used malware to destroy a fifth of Iran’s uranium centrifuges, back in 2010.

Kaspersky’s 2015 report makes no assertions of American involvement in infiltrating its networks, but leaves a clear implication that Israel was directly involved – though it falls short of mentioning the country by name.

Striking Back

For its part, the U.S. government has taken direct action against the Russian security software firm. After the 2015 breach of the N.S.A. came to light, intelligence officials spent months studying Kaspersky software and conducting controlled experiments to determine the extent of its capabilities and assumed links to the Russian state.

Last month, the U.S. Department of Homeland Security (D.H.S.) issued a blanket ban on the use of Kaspersky software and services in federal government agencies and institutions. Federal agencies were given 90 days to remove the software, effective from the start of the ban on Sept. 13th.

To date, this is the first such action taken by a sovereign state against the Russian security firm – but there exists the possibility that other governments may use similar measures to regulate or curtail the use of Kaspersky software in sensitive departments.

The overriding effect on Kaspersky’s market share and brand reputation remains uncertain, but should be seen and felt in the coming months.

Finjan is Here to Help

Finjan Holdings, a 20-year veteran in cybersecurity, takes the issue of privacy and security very seriously. The company launched a subsidiary in 2015, Finjan Mobile, that currently focuses on mobile apps that educate the consumer. In early September 2017, Finjan Mobile launched VitalSecurity VPN, which is the only mobile app to integrate a VPN with a secure, feature-rich browser. The VPN not only hides your location but also encrypts all internet traffic when using public Wi-Fi in a coffee shop, hotel or airport hotspot, so you can know that your connection is truly private. The browser offers complete transparency – telling you if the web pages you visit are safe, suspicious or dangerous, which sites are tracking you, and how they are using your data. The consumer has the option to block some or all of the trackers and advertisements. Other features include a full-screen view, Touch ID security, the ability to privatize your tabs, smart bookmarking and complete control of your browsing history.

Finjan is also a believer in licensing its organically derived cybersecurity IP. By following its Licensing Best Practices, Finjan has achieved over $250 million in licensing fees to date. Today the company has licenses with some of the marquee cybersecurity companies, including, but not limited to, its first license with Microsoft back in 2005 and subsequent licenses with Webroot, Proofpoint, Sophos and Avira.
